
MW-SEC-015: disable backup in AndroidManifest #2000

Open
pabloescincau wants to merge 1 commit into openMF:development from pabloescincau:MW-SEC-015-disable-backup


@pabloescincau pabloescincau commented Mar 16, 2026

closes #1981

set allowBackup to false and added dataExtractionRules
for Android 12+ to prevent sensitive data from being backed up

Summary by CodeRabbit

  • Chores
    • Modified application backup behavior settings. Added configuration for data extraction rules to control which data is handled during cloud backups and device transfer operations. Specific data categories are now excluded from backup and extraction processes.

@pabloescincau pabloescincau requested a review from a team March 16, 2026 07:27

coderabbitai bot commented Mar 16, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 286245a1-9aab-47b0-83d8-a98527a754f1

📥 Commits

Reviewing files that changed from the base of the PR and between 0403be7 and 1725033.

📒 Files selected for processing (2)
  • cmp-android/src/main/AndroidManifest.xml
  • cmp-android/src/main/res/xml/data_extraction_rules.xml

Walkthrough

The PR disables Android backup functionality and adds data extraction rules to prevent sensitive data exposure. Specifically: android:allowBackup changed to false, android:fullBackupContent set to false, and a new data_extraction_rules.xml file excludes root domain data from cloud backups and device transfers.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Android Manifest Security Configuration: cmp-android/src/main/AndroidManifest.xml | Disabled application backup with android:allowBackup="false" and android:fullBackupContent="false"; added reference to data extraction rules via android:dataExtractionRules="@xml/data_extraction_rules". |
| Data Extraction Rules: cmp-android/src/main/res/xml/data_extraction_rules.xml | New file defining data extraction rules that exclude root domain from cloud-backup and device-transfer operations. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related issues

Poem

🐰 Backups blocked, data tucked away safe,
No ADB sneaking through the front gate,
Root domain excluded with care,
Security hardened—a rabbit's affair! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: disabling backup in AndroidManifest by setting android:allowBackup to false. |
| Linked Issues check | ✅ Passed | All coding requirements from issue #1981 are met: android:allowBackup set to false, android:fullBackupContent set to false, and dataExtractionRules added for Android 12+ support. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to the security vulnerability fix in issue #1981; no unrelated modifications are present. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

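A check for the settings discussed in this thread, as an added example that is not part of the pull request or the project's code: it audits a manifest for the three backup attributes and a rules file for the root-domain exclusions. The XML samples are constructed (the `path="."` value and the function names are assumptions), not the PR's actual files.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample inputs (assumed shapes, not the PR's actual files).
MANIFEST_BEFORE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:allowBackup="true" android:label="app"/>
</manifest>"""
MANIFEST_AFTER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:allowBackup="false" android:fullBackupContent="false"
      android:dataExtractionRules="@xml/data_extraction_rules"/>
</manifest>"""
RULES = """<data-extraction-rules>
  <cloud-backup><exclude domain="root" path="."/></cloud-backup>
  <device-transfer><exclude domain="root" path="."/></device-transfer>
</data-extraction-rules>"""


def audit_manifest(manifest_xml):
    """Return findings for the <application> backup attributes."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["no <application> element"]
    findings = []
    # A missing allowBackup attribute defaults to true, so absence is a finding.
    if app.get(ANDROID + "allowBackup", "true") != "false":
        findings.append("allowBackup is not false")
    if app.get(ANDROID + "fullBackupContent") != "false":
        findings.append("fullBackupContent is not false")
    if not app.get(ANDROID + "dataExtractionRules"):
        findings.append("dataExtractionRules is not set (Android 12+)")
    return findings


def audit_rules(rules_xml, domain="root"):
    """Return findings for sections that do not exclude `domain`."""
    root = ET.fromstring(rules_xml)
    findings = []
    for section in ("cloud-backup", "device-transfer"):
        node = root.find(section)
        excluded = [] if node is None else [e.get("domain") for e in node.findall("exclude")]
        if domain not in excluded:
            findings.append(f"{section} does not exclude domain '{domain}'")
    return findings


if __name__ == "__main__":
    for name, xml in (("before", MANIFEST_BEFORE), ("after", MANIFEST_AFTER)):
        print(name, audit_manifest(xml) or "ok")
    print("rules", audit_rules(RULES) or "ok")
```

Run against the built manifest and rules file in CI, an empty findings list from both functions means the settings named in issue #1981 are still in place.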


Development

Successfully merging this pull request may close these issues.

[MEDIUM] MW-SEC-015: Disable Backup in AndroidManifest

2 participants